CSIA Reviewer
Principles of Cybersecurity
3 Levels of Security
1. Personal Identity - online or offline transaction
2. Work Identity - private or public sectors
3. Government Identity - public sectors
5 Advantages of Cybersecurity Tools
 PROTECTION OF BUSINESS
 INCREASE PRODUCTIVITY
 INSPIRES CUSTOMERS CONFIDENCE
 STOPS YOUR WEBSITE FROM CRASHING
 PROTECTION OF YOUR CUSTOMERS
4 Importance of Cybersecurity
-Caused by poor security knowledge and practice:
 Identity Theft - uses the identity of a person.
 Monetary Theft - taking money of a person without
permission.
 Legal Ramifications - consequences of breaking the
law.
 Sanctions or Termination - if policies are not
followed.
3 Top vectors for vulnerabilities available to a
cybercriminal are:
 Web Browser
 IM Clients
 Web Application
Cybersecurity - the body of technologies, processes,
and practices designed to protect net.
What is a Secure System (CIA Triad)
 Confidentiality - restrict access to authorized
individuals
 Integrity - data has not been altered in an
unauthorized manner
 Availability - information can be accessed and
modified by authorized individual.
4 Cybersecurity Motivation
 Just for fun
 Demand money or ransom
 Create confusion
 Damage reputation
10 Types of Hackers:
BLACK HAT: Criminal Hackers - a cybercriminal who
breaks into computer systems with malicious or criminal
intent.
WHITE HAT: Authorized Hackers - Similar to black hat
hackers, cybersecurity experts who use their skills to
find vulnerabilities in organizational networks.
GRAY HAT: “Just for Fun” Hackers - expert who finds
ways to hack into computer networks and systems but
without the malicious intent of a black hat hacker.
GREEN HAT: Hackers in Training - someone who is new
to the hacking world but is intently focused on
increasing their cyberattack skills.
BLUE HAT: Authorized Software Hackers - hired by
organizations to bug-test a new software or system
network
RED HAT: Government-Hired Hackers - hired by
government agencies to spot vulnerabilities in security
systems.
SCRIPT KIDDIES: Amateur Hackers - don’t possess the
same level of skill or expertise as more advanced
hackers in the field.
STATE/NATION SPONSORED HACKERS: International
Threat Prevention Hackers - appointed by a country’s
government to gain access to another nation’s
computer systems.
MALICIOUS INSIDER: Whistleblower Hackers -
individuals who employ a cyberattack from within the
organization they work for.
HACKTIVISTS: Politically Motivated Hackers - someone
who hacks into government networks and systems to
draw attention to a political or social cause, “activist”.
7 Common Attacks in Cybersecurity
DOS (Denial of Service) – send multiple request (to
flood) the server request.
Malware – virus (thru email, website, malicious website)
Phishing – email links Man in the Middle – hacker
(computer and network)
Cross site script attack (Pop-up message in the website)
Password Attack – Guessing game from the hackers
3 WHAT KINDS OF THREATS ARE THERE?
Phishing - practice of creating fake emails or SMS
Social Engineering - attempting to steal information or
a person’s identity.
Malware - any kind of unwanted software that is
installed without your consent on your computer.
5 Subgroups of Malware:
Viruses - tries to infect a carrier, which in turn relies on
the carrier to spread the virus around.
Bombs - programming code that is designed to execute
or explode.
Trojans - a program or software designed to look like a
useful or legitimate file.
Worms - designed to replicate itself and disperse
throughout the user’s network.
Ransomware - that locks and encrypts a victim's data or
files.

Eavesdropping Attack – same with Man in the Middle.

Cybercrime - a generic term that refers to all criminal
SQL Injection Attack – Database
activities.

9 Types of Cybercrime:
10 How to Secure your Data
- phishing
 2-Factor Authentication
- cyberbullying
 Secure your Password
- identity theft
 Password Complexity
- credit card theft
 Regular Updates
- malware
 Updated Antivirus
- online scams
 Firewall (Company)
- harassment
 Spam Filtering (Spam Software) -cyberbullying
 Encryption -credit card theft
 Secure DNS

 Daily Backup

Threats - Any circumstances or events that can

potentially harm an information system by destroying it.

Vulnerabilities - Weakness in an information system or

its components that could be exploited
Security Policy - a set of rules, procedures, and
guidelines that dictate how an organization or system
should maintain the confidentiality.
7 Types of Security Policies
1. Acceptable Use Policy (AUP) - the acceptable and
prohibited uses of a system, network, or application.
2. Access Control Policy - Define who can access what
resources, under what conditions.
3. Remote Access Policy - a document that outlines the
rules and procedures for remote access.
4. Password Policy - a set of rules and guidelines that
define how passwords should be created, managed, and
used.
5. Physical Security Policy - outlines the procedures for
securing an organization's physical assets, such as
facilities.
6. Bring Your Own Device Policy - Outlines the rules and
procedures for employees who use their personal
devices.
7. Mobile Device Policy - Specifies the rules and
procedures for securing mobile devices used by
employees.
Security Plan - a comprehensive document that outlines
an organization's approach to managing and mitigating
information security risks.
4 Types of Security Plan
1. Disaster Recovery Plan - Outlines the steps that
should be taken to recover from a disaster.
2. Business Continuity Plan - is the steps that should be
taken to keep the business running in the event of a
disruption.
3. Incident Response Plan - Describes the procedures
that should be followed in the event of a security
breach.
4. Risk Management Plan - Identifies the risks faced by
an organization.
System Security Plan - outlines the security
controls and safeguards implemented in an
information
system to protect the confidentiality.
3 Levels of Planning Strategic
Planning - the highest level of planning, concerned with
defining the organization's long-term goals, objectives,
and overall direction.
Tactical Planning - It involves detailed planning to
achieve specific objectives.
Operational Planning - the most detailed level of
planning, focusing on day-to-day.
Planning Misalignment - a situation where there is a
lack of coherence or synchronization between different
levels of planning.
3 Causes of Planning Misalignment
-Lack of Communication - Inconsistent
communication leads to misunderstandings and
can hinder
planning.
-Competing Priorities - When priorities conflict,
resources may be misdirected.
-Resistance to Change - Pushback against new
policies can disrupt planned security measures.
Policy Development and Implementation
- integral processes within an organization's
governance framework
RISK MANAGEMENT
- the process of identifying, assessing, and
prioritizing risks followed by the coordinated
application of resources to minimize.
5 Principles of Risk Management
Risk Identification - identifying the risks presented
in a given scenario.
Risk Control - Implementing measures to mitigate
risks. It includes risk avoidance, prevention.
Risk Analysis - gathering data and assessing the
potential impact.
Risk Financing - deals with how an organization
funds its risk management efforts.
- it includes insurance, self-insurance.
Claim Management - handling claims promptly,
assessing damages
12 TYPES OF RISK MANAGEMENT
Systematic Risk - also known as market risk. the
overall impact of the market on an investment.
Unsystematic Risk - asset-specific risk, specific to
an individual investment.
Political/Regulatory Risk - arises from political
decisions and changes in regulations.
Interest Rate Risk - Fluctuations in interest rates
can affect investments.
Country Risk - specific to a particular country.
Social Risk - Social norms, movements, and
unrest can impact businesses.
Environmental Risk - the impact of changes in the
environment falls under this category.
Operational Risk - Centers on managing
operational risks like supply chain disruptions,
human errors.
Financial Risk - related to a company's capital
structure.
Management Risk - Decisions made by a
company's management team.
Legal Risk - Legal uncertainties arise from
lawsuits, regulatory compliance.
Competition - an industry affects individual
companies.
5 Risk Management Strategies
Avoidance - strategy aimed at steering clear of
potential risks.
Transfer - Shifting the risk to another party.
Insurance or contracts.
Retention - based on the likely frequency and
severity of the risks presented.
Spreading - possible to spread the risk of loss to
property and persons.
Loss Prevention and Reduction - When risk
cannot be avoided, the effect of loss can often be
minimized.
5 Components of Risk Management Framework
Identification - Identify the risks that the
organization faces.
Measurement and Assessment - Create a risk
profile for each risk that has been identified.
Mitigation - Identifying and eliminating identified
risks. focusing on those that are considered
acceptable.
Reporting and Monitoring - reexamining the risks
to make sure that the risk mitigation strategies the
organization has adopted are leading to the desired
effect.
Governance - involves ensuring the
implementation of risk mitigation techniques and
ensuring employees.
Risk Management Framework
- provides a comprehensive, flexible, repeatable,
and measurable 7-step process.
7 Steps of Risk Management Framework
Prepare - to prepare the organization to manage
security and privacy risks.
Categorize - Categorize the system and
information processed, stored.
Select - Selecting controls to safeguard the
systems and minimize.
Implement - where the selected controls are put
into place to head off risks.
Assess - assess the effectiveness of the chosen
controls and their ability.
Authorize - Tied to executive approval of the risk
mitigation mechanisms.
Monitor - Continuously monitor control
implementation and risks to the system.
7 Steps of Risk Management Framework
Prepare - to prepare the organization to manage
security and privacy risks.
Categorize - Categorize the system and
information processed, stored.
Select - Selecting controls to safeguard the
systems and minimize.
Implement - where the selected controls are put
into place to head off risks.
Assess - assess the effectiveness of the chosen
controls and their ability.
Authorize - Tied to executive approval of the risk
mitigation mechanisms.
Monitor - Continuously monitor control
implementation and risks to the system.
Analytics
- process of discovering, interpreting, and
communicating significant patterns in data.
- systematic computational analysis of data or
statistics.
3 Example of Analytics
Data Analytics - he science of analyzing raw data
to make conclusions.
Business Analytics - big data and predictive
analytics are redefining how businesses succeed.
Web Analytics - the collection, reporting, and
analysis of website data.
Automation
- the creation and application of technologies to
produce and deliver goods.
- the technique of making an apparatus, a process,
or a system operate.

3 Example of Automation
Automation System - an integration of sensors,
controls, and actuators designed to perform a
function
with minimal.
Robotics - a branch of engineering that involves
the conception, design, manufacture and operation
of robots.
Automobile - extremely vast and progressive.

Advantages
- Higher production rates
- Increased productivity
- Better product quality
- Saves time

Disadvantages
- Needs large capital expenditure
- Can become redundant
- Still requires human intervention
- Could introduce new safety hazards